The clarified International Standards on Auditing (ISAs) issued by the International Auditing and Assurance Standards Board are effective for audits of accounting periods starting on or after 15 December 2009 (for the UK, periods ending on or after 15 December 2010). For many auditors the performance of their first engagements under the new ISAs are therefore imminent and need to be supported by relevant training and changes to the audit methodology adopted.
The clarified ISAs may cause practitioners some concern. After all, the new standards are longer, two new standards have been introduced (ISA 265 on communication of deficiencies in internal control, and ISA 450 on the evaluation of misstatements), 12 other ISAs have been revised, and some of the guidance material in the current standards have been elevated to requirements. However, the actual impact of the new standards on current audit practice is not as extensive as the changes brought about by the adoption of the current ISAs.
In fact, the clarified ISAs confirm that the main focus of the performance of an audit engagement should be the adoption of a risk-based approach that requires the exercise of professional judgment and the maintenance of professional scepticism throughout the audit.
For that purpose each standard identifies specific objectives, requirements and separate application and explanatory material that guide the auditor in identifying and assessing risks of material misstatement, in obtaining sufficient appropriate audit evidence by designing appropriate responses to the assessed risks, and in forming an opinion on the basis of the evidence obtained.
This article illustrates how a risk-based approach can be adopted for an audit performed under clarified ISAs and what impact some of the new requirements introduced can have on current audit practice.
The importance of planning
Planning is paramount in the performance of a risk-based audit and the most relevant ISAs for such a purpose - namely, ISA 300, Planning an Audit of Financial Statements, ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and the Environment and ISA 330, The Auditor's Responses to Assessed Risks - have not been materially changed.
ISA 315 in particular requires the auditor to identify risks throughout the process of obtaining an understanding of the entity and its environment and to assess the potential impact of such risks on the accounts as a whole and on specific assertions.
The risk identification process should start from developing knowledge of the nature, characteristics and dynamics of the entity and of the environment in which it operates and then move to the assessment of the potential effect in terms of misstatement that such risks could have on the financial statements, rather than following the contrary route of starting to assess risk by reading the financial statements, which could result in missing relevant and pervasive risks relating to industry/entity-specific circumstances.
To achieve the objective above the auditor should obtain, among other things, an understanding of the following issues:
- The factors at play in the industry sector in which the entity operates - market size, level of competition, supplier and customer relationships.
- Regulatory factors such as significant laws and regulations, which could be general, or industry-specific, such as environmental requirements for an industry, general employment legislation, health and safety regulations and the applicable financial reporting framework.
- Relevant external factors affecting the entity such as general economic conditions, interest rates and the availability of finance.
- The nature and history of the entity, including its operations, revenue sources, products, services, markets served, key personnel, locations, ownership structure, business investments under way or planned, key customers, key suppliers and its financing structure.
- The selection, application and appropriateness of the accounting policies used by the entity and reasons for any changes.
- Objectives and strategies of the entity and related business risks.
- Review of the entity's financial performance.
Another important element of the entity that the auditor needs to obtain an understanding of, in order to identify possible sources of risk, are internal controls put in place by the entity to ensure the reliability of financial reporting, the effectiveness and efficiency of operations and the compliance with applicable laws and regulations. ISA 315 highlights the five following components:
- the control environment
- the entity's risk assessment process
- the information system, including business processes, relevant to financial reporting
- control activities relevant to the audit
- monitoring of controls.
Although all components of internal control can be relevant to audit, the control environment, intended as the culture created and fostered by management in respect of integrity, ethics, attitude towards control, commitment to employee competence, communication of values, risk management, assignment of authority and responsibility, can be seen as the foundation for the other components of internal control.
The nature of the control environment pervades the entity and positively or negatively impacts the effectiveness of other controls applied to the entity's transactions. In fact, deficiencies in the control environment undermine other controls, even if properly designed, as override can happen more easily, while a positive control environment is conducive to a stronger internal control. It is therefore important to obtain an understanding of the control environment in most or all engagements, especially for smaller entities where controls may be informal.
Risks and responses will be embodied in a consistent audit strategy and a detailed audit plan that will be duly documented. Auditors unfamiliar with the above process should be reminded of the importance of planning and of its direction that should go from the consideration of the entity, its internal control and its environment to the accounts. An auditor who starts planning from the financial statements may easily end up on the wrong track.
Some clarified ISA changes relevant to planning have been introduced in a number of revised and new ISAs.
ISA 320 on materiality introduces a requirement to determine performance materiality at a level below that determined for the financial statements as a whole. Although the concept of performance materiality was not expressly formulated in the previous ISAs, it was widely adopted in practice by the use of such benchmarks as working materiality and tolerable error.
ISA 320 formally defines it as ‘the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole'. The concept would also apply to the materiality level set for particular classes of transactions, account balances or disclosures.
Hence performance materiality will be a figure which is less than the overall materiality of the job and will take into consideration the general risk associated with the client and the specific risks - for example, by taking into account past uncorrected errors and the probability that undetected errors exist. There is no guidance as to how lower performance materiality should be compared to overall materiality as that would be a matter of judgment for the auditor based on assessed risks.
ISA 402 recognises the increased use of service organisations and the increasing complexity of the ensuing relationships. The revised standard aligns its requirements with the risk assessment standards especially in obtaining an understanding of internal control and the assessment of identified risks. Many entities outsource services that are part of their information system, such as payroll and credit control. The auditor would need to understand the way services organisations are used, the processes affected, the materiality of the areas outsourced, the entity's and the agency's controls over transactions processed externally and the contractual terms involved and to assess the impact of such services on internal control, the potential risks for the financial statements and the impact on the audit approach.
ISA 550, Related Parties has been modified to emphasise procedures that help identify and assess the risk of misstatement of financial statements arising from related party relations and transactions, and produce appropriate responses. Visit www.accaglobal.com/isa550 to see the full impact.
ISA 540, on the auditing of accounting estimates, acknowledges that financial statements contain more estimated amounts than envisaged when the ISAs were originally issued. The ISA 540 revision aims to improve the rigour of the audit of estimates and conforms the approach of estimates auditing to the risk-based approach of the risk assessment and fraud standards.
ISA 540 requires the application of greater rigour and scepticism to the audit of accounting estimates, including the auditor's consideration of possible management bias. It also provides standards and guidance on the auditor's determination and documentation of misstatements and indicators of possible management bias relating to individual estimates.
New specific requirements relevant at planning stage include:
- Obtaining an understanding of how management identifies transactions, events and conditions that may require accounting estimates and how it makes those estimates.
- Reviewing the outcome of accounting estimates made in prior accounting periods or, if applicable, their subsequent re-estimation for the purpose of the current period.
- Evaluating estimation uncertainty in determining whether estimates with high levels of uncertainty give rise to significant risks.
Another new requirement at the performance stage includes performing substantive procedures in response to significant risks, such as evaluating if and how management has considered alternative assumptions and outcomes and dealt with estimation uncertainty. Other procedures would involve obtaining sufficient evidence about the appropriateness of management's decision to recognise or not estimates in the financial statements and the selected measurement basis.
Also new is the requirement to review management's judgments and decisions to identify indicators of management bias.
ISA 580, Written Representations, includes the requirement to obtain written representations. It used to be sufficient for management to acknowledge its responsibilities, but the auditor must now obtain representations that management has fulfilled its responsibility for the preparation of the accounts and for the completeness of information provided to the auditor.
The redrafting of ISA 580 also makes it very clear that written representation merely supports audit evidence and that it does not in isolation provide sufficient audit evidence. The ISA states the representation should support other audit evidence relevant to the accounts or specific assertions in the accounts by means of written representations if determined necessary by the auditor or required by other ISAs. It also states the need to respond appropriately to written representations provided by management and, where appropriate, those charged with governance, or if management or, where appropriate those charged with governance do not provide written representations requested by the auditor.
Written representations by management is required for all audits. If it is not forthcoming, the auditor must:
- discuss the matter with management
- reconsider the management integrity and re-evaluate management representations, both oral and written, and consider the reliability of other audit evidence
- take appropriate actions including the assessment of the lack of representations and its impact on the audit opinion.
If there is sufficient doubt surrounding the representation acknowledging management responsibility for the preparation of the accounts, the information provided on the completeness of the representations by management or the reliability of the information, then the auditor will be required to disclaim their opinion.
A group issue
ISA 600 on group audits codifies more specific procedures to achieve more consistency where a group auditor takes sole responsibility and other auditors perform the audit of components. Effectively, the group auditor is required to get more involved in the work of component auditors.
In particular, the group auditor is required to obtain an understanding of component auditors, including their professional competence and whether they understand, and will comply with, the ethical requirements that are relevant to the group audit.
Glen Collins is head of advisory services and Massimo Laudato is technical adviser at ACCA UK